Re: [ossec-list] syslog_output question

2017-07-11 Thread Robert B
That's perfect, exactly what I needed to know!   Thank you!

On Tuesday, July 11, 2017 at 3:58:37 AM UTC-4, Victor Fernandez wrote:
>
> Hi Robert,
>
> OSSEC should take these settings independently:
>
> - Configuration A will send alerts with level 8 or higher.
> - Configuration B will send alerts with level 4 or higher (including
>   alerts sent by the former setting) belonging to these groups.
>
> So you'll receive duplicate alerts. One option would be to enter every 
> group but those specified in configuration B.
>
> Let me tell you that Wazuh agents include an improvement that allows 
> negating expressions. So you may use a setting like this one:
>
> <syslog_output>
>   <level>8</level>
>   <server>192.168.0.5</server>
>   <group>!invalid_login|adduser|blah|andsoon</group>
> </syslog_output>
>
> <syslog_output>
>   <level>4</level>
>   <group>invalid_login|adduser|blah|andsoon</group>
>   <server>192.168.0.5</server>
> </syslog_output>
>
>
> Hence you'll have alerts with level 4 or higher (even 8 or more) belonging 
> to these groups, plus alerts with level 8 or higher of any other group.
>
> Hope it helps.
> Best regards.
>
>
> On Mon, Jul 10, 2017 at 10:29 PM, Robert B wrote:
>
>> This was a little unclear to me after reading the documentation and 
>> searching around...pardon if it's been asked and answered, I simply have 
>> not found it.
>>
>> We have a single server we want to send syslog output to, however, we 
>> also want to have different levels for some alerts.   Would it be as simple 
>> as two syslog_output sections, such as below, or would this create 
>> duplicate alerts, take the last syslog_output section, or can it be done in 
>> a single section?   
>>
>> <syslog_output>
>>   <level>8</level>
>>   <server>192.168.0.5</server>
>> </syslog_output>
>>
>> <syslog_output>
>>   <level>4</level>
>>   <group>invalid_login|adduser|blah|andsoon</group>
>>   <server>192.168.0.5</server>
>> </syslog_output>
>>
>>
>> Thanks!
>> Bob
>>
>>
>> -- 
>>
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ossec-list+...@googlegroups.com .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> -- 
> Victor M. Fernandez-Castro
> IT Security Engineer
> Wazuh Inc.
>



Re: [ossec-list] syslog_output question

2017-07-11 Thread Victor Fernandez
Hi Robert,

OSSEC should take these settings independently:

   - Configuration A will send alerts with level 8 or higher.
   - Configuration B will send alerts with level 4 or higher (including
   alerts sent by the former setting) belonging to these groups.

So you'll receive duplicate alerts. One option would be to enter every
group but those specified in configuration B.

Let me tell you that Wazuh agents include an improvement that allows
negating expressions. So you may use a setting like this one:

<syslog_output>
  <level>8</level>
  <server>192.168.0.5</server>
  <group>!invalid_login|adduser|blah|andsoon</group>
</syslog_output>

<syslog_output>
  <level>4</level>
  <group>invalid_login|adduser|blah|andsoon</group>
  <server>192.168.0.5</server>
</syslog_output>


Hence you'll have alerts with level 4 or higher (even 8 or more) belonging
to these groups, plus alerts with level 8 or higher of any other group.

Hope it helps.
Best regards.


On Mon, Jul 10, 2017 at 10:29 PM, Robert B wrote:

> This was a little unclear to me after reading the documentation and
> searching around...pardon if it's been asked and answered, I simply have
> not found it.
>
> We have a single server we want to send syslog output to, however, we also
> want to have different levels for some alerts.   Would it be as simple as
> two syslog_output sections, such as below, or would this create duplicate
> alerts, take the last syslog_output section, or can it be done in a single
> section?
>
> <syslog_output>
>   <level>8</level>
>   <server>192.168.0.5</server>
> </syslog_output>
>
> <syslog_output>
>   <level>4</level>
>   <group>invalid_login|adduser|blah|andsoon</group>
>   <server>192.168.0.5</server>
> </syslog_output>
>
>
> Thanks!
> Bob
>
>
>



-- 
Victor M. Fernandez-Castro
IT Security Engineer
Wazuh Inc.

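The selection logic the reply describes, as an added example that is not part of any message in this thread and not OSSEC or Wazuh code: a small simulator that evaluates each syslog_output block independently (level threshold, then the optional group pattern with '|' alternatives and the leading '!' negation mentioned in the reply) and counts how many copies of an alert would be forwarded. The matching model is my simplification of the behaviour described in the thread, not a reimplementation of the real pattern matcher; the sample alerts and both configurations are constructed here from the values in the thread.

```python
"""Added example (not from the thread or the OSSEC/Wazuh code base): a small
simulator of the <syslog_output> selection logic discussed in the thread,
showing why the two-block configuration in the question forwards some
alerts twice and why the negated <group> pattern from the reply does not.

Assumptions (mine, simplified from how the thread describes the behaviour):
  * an alert matches a block when its level is >= the block's <level>;
  * <group> holds alternatives separated by '|', and a block with <group>
    matches when any alternative appears in the alert's group list;
  * a leading '!' (the Wazuh extension mentioned in the reply) negates the
    whole pattern.
Real OSSEC/Wazuh performs the group test with its own pattern matcher; this
is an approximation for reasoning about the configuration, not a port of it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SyslogOutput:
    """One <syslog_output> block: destination, minimum level, optional group pattern."""
    server: str
    level: int
    group: Optional[str] = None


@dataclass(frozen=True)
class Alert:
    """The alert fields that syslog_output selection looks at."""
    level: int
    groups: Tuple[str, ...]


def group_matches(pattern: str, groups: Tuple[str, ...]) -> bool:
    """True if the alert's groups satisfy the <group> pattern ('!' negates the whole pattern)."""
    negate = pattern.startswith("!")
    alternatives = pattern[1:].split("|") if negate else pattern.split("|")
    hit = any(alt in groups for alt in alternatives)
    return hit != negate  # '!' flips the outcome of the whole alternation


def outputs_for(alert: Alert, outputs: List[SyslogOutput]) -> List[SyslogOutput]:
    """Every block that would forward this alert; blocks are evaluated independently."""
    return [
        o for o in outputs
        if alert.level >= o.level
        and (o.group is None or group_matches(o.group, alert.groups))
    ]


def delivery_count(alert: Alert, outputs: List[SyslogOutput]) -> int:
    """Number of copies of the alert that reach the syslog server."""
    return len(outputs_for(alert, outputs))


def duplicated_alerts(alerts: List[Alert], outputs: List[SyslogOutput]) -> List[Alert]:
    """Alerts the configuration would forward more than once."""
    return [a for a in alerts if delivery_count(a, outputs) > 1]


# The pair of blocks from the question: no group filter on the level-8 block.
QUESTION_CONFIG = [
    SyslogOutput("192.168.0.5", 8),
    SyslogOutput("192.168.0.5", 4, "invalid_login|adduser|blah|andsoon"),
]

# The pair from the reply: the level-8 block excludes the groups the level-4 block handles.
REPLY_CONFIG = [
    SyslogOutput("192.168.0.5", 8, "!invalid_login|adduser|blah|andsoon"),
    SyslogOutput("192.168.0.5", 4, "invalid_login|adduser|blah|andsoon"),
]

# Constructed sample alerts (not real OSSEC output).
SAMPLE_ALERTS = [
    Alert(10, ("syslog", "sshd", "invalid_login")),  # high level, watched group
    Alert(5, ("syslog", "sshd", "invalid_login")),   # low level, watched group
    Alert(9, ("syslog", "sudo")),                    # high level, other group
    Alert(5, ("syslog", "sudo")),                    # low level, other group
]


if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_CONFIG), ("reply", REPLY_CONFIG)):
        for a in SAMPLE_ALERTS:
            groups = ",".join(a.groups)
            print(f"{name:8} level={a.level:2} groups={groups:28} copies={delivery_count(a, cfg)}")
```

Running it shows the first sample alert (level 10, group invalid_login) delivered twice under the question's configuration and once under the reply's, while the other three alerts are delivered the same number of times under both.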


[ossec-list] syslog_output question

2017-07-10 Thread Robert B
This was a little unclear to me after reading the documentation and 
searching around...pardon if it's been asked and answered, I simply have 
not found it.

We have a single server we want to send syslog output to, however, we also 
want to have different levels for some alerts. Would it be as simple as 
two syslog_output sections, such as below, or would this create duplicate 
alerts, take the last syslog_output section, or can it be done in a single 
section?

<syslog_output>
  <level>8</level>
  <server>192.168.0.5</server>
</syslog_output>

<syslog_output>
  <level>4</level>
  <group>invalid_login|adduser|blah|andsoon</group>
  <server>192.168.0.5</server>
</syslog_output>
   

Thanks!
Bob

